Fortinet has patched a critical remote code execution (RCE) vulnerability in its FortiClient Enterprise Management Server (EMS) for managing endpoint devices.
The defect, identified as CVE-2024-48788, results from a SQL injection flaw in a storage component connected directly to the server. It gives unauthenticated attackers the ability to execute arbitrary code and commands with system administrator privileges on affected systems using specially crafted requests.
Vulnerability of critical severity
Fortinet gave the vulnerability a severity score of 9.3 out of 10 on the CVSS rating scale, and the National Vulnerability Database itself gave it a near-maximum score of 9.8. The flaw is present in multiple versions of FortiClientEMS 7.2 and FortiClientEMS 7.0, and Fortinet recommends that organizations using the affected versions upgrade to the newly patched FortiClientEMS 7.2.3 or later, or to FortiClientEMS 7.0.11 or later.
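The upgrade thresholds above (7.2.3 and 7.0.11) are the only remediation detail the article gives, so a fleet-triage helper is the natural defender-side check to pair with them. The following Python is an added example, not code from Fortinet or from the article; it assumes FortiClientEMS versions are reported as plain X.Y.Z strings and, because the article says only that "multiple versions" of 7.2 and 7.0 are affected without listing them, it conservatively treats every 7.2.x build below 7.2.3 and every 7.0.x build below 7.0.11 as needing an upgrade. The inventory at the bottom is constructed sample data.

```python
import re
from typing import Dict, Optional, Tuple

# Fixed builds named in the article. Anything on the same branch but below
# these is treated as affected (conservative assumption: the article does not
# enumerate the exact affected builds).
FIXED_BUILDS: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (7, 2): (7, 2, 3),
    (7, 0): (7, 0, 11),
}

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)\s*$")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Parse 'X.Y.Z' (optionally 'vX.Y.Z') into an integer tuple.

    Integer tuples are compared numerically, so 7.2.10 correctly sorts above
    7.2.3; a naive string comparison would get that backwards.
    Returns None for anything that does not match the assumed format.
    """
    match = _VERSION_RE.match(text)
    if not match:
        return None
    return tuple(int(part) for part in match.groups())  # type: ignore[return-value]


def needs_upgrade(version_text: str) -> str:
    """Classify one reported version against the article's fixed builds.

    Returns one of:
      'UPGRADE' - on a named branch and below the fixed build
      'OK'      - on a named branch at or above the fixed build
      'REVIEW'  - unparseable, or on a branch the article does not name
    """
    version = parse_version(version_text)
    if version is None:
        return "REVIEW"
    fixed = FIXED_BUILDS.get(version[:2])
    if fixed is None:
        return "REVIEW"
    return "UPGRADE" if version < fixed else "OK"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map hostname -> status for a {hostname: version_string} inventory."""
    return {host: needs_upgrade(ver) for host, ver in inventory.items()}


def hosts_with_status(inventory: Dict[str, str], status: str) -> list:
    """Sorted list of hostnames whose triage result equals `status`."""
    return sorted(h for h, s in triage(inventory).items() if s == status)


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = {
    "ems-prod-01": "7.2.2",    # below 7.2.3  -> UPGRADE
    "ems-prod-02": "7.2.3",    # fixed build  -> OK
    "ems-dr-01":   "7.0.10",   # below 7.0.11 -> UPGRADE
    "ems-dr-02":   "7.0.11",   # fixed build  -> OK
    "ems-lab-01":  "7.2.10",   # numerically above 7.2.3 -> OK
    "ems-legacy":  "6.4.9",    # branch not named in the article -> REVIEW
    "ems-unknown": "7.2",      # malformed version string -> REVIEW
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12s} {SAMPLE_INVENTORY[host]:8s} {status}")
```

The REVIEW bucket is deliberate: a version the script cannot parse, or a branch the advisory does not mention, should land in front of a human rather than being silently marked safe.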
The vendor credited a researcher from the FortiClientEMS development team and the UK’s National Cyber Security Centre (NCSC) with discovering the flaw.
The company’s advisory offered scant details about the vulnerability. But researchers at Horizon3.ai, who have reported numerous previous bugs in Fortinet technologies, said this week that they will release indicators of compromise, a proof-of-concept (PoC) exploit, and technical details of the bug next week.
So far there have been no reports of exploit activity in the wild targeting the flaw. But that could change quickly when details of the bug and PoC become available next week, meaning organizations have a relatively small window of opportunity to address the vulnerability before attacks begin.
Popular target of attackers
“Fortinet devices have been frequently targeted by attackers with several notable flaws observed since 2019,” Tenable warned in an advisory on CVE-2024-48788. As examples, the security vendor pointed to CVE-2023-27997, a critical heap-based buffer overflow vulnerability in multiple versions of Fortinet’s FortiOS and FortiProxy technology, and CVE-2022-40684, an authentication bypass flaw in FortiOS, FortiProxy, and FortiSwitch Manager that a threat actor sold for initial access purposes.
“Other vulnerabilities in Fortinet devices have attracted the attention of multiple nation-state threat actors and ransomware groups like Conti. Fortinet vulnerabilities were included as part of the lists of the most routinely exploited vulnerabilities in recent years,” Tenable said.
Fortinet vulnerabilities have also appeared in warnings from the US Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and others about flaws that nation-state-backed threat actors have often exploited in their campaigns. The most recent of these warnings concerned attempts by Volt Typhoon and other Chinese-backed threat groups to break into and maintain persistent access on US critical infrastructure networks.
Two unpatched Fortinet bugs
Meanwhile, in a separate development, researchers at Horizon3.ai this week publicly revealed more details about 16 flaws they reported to Fortinet in 2023, all but two of which the company has already patched. The flaws, some of which Horizon3.ai called critical, affect Fortinet’s Wireless LAN Manager (WLM) and FortiSIEM technologies. They include SQL injection issues, command injection flaws, and bugs that allow arbitrary file reads.
Among the vulnerabilities that Horizon3.ai highlighted in its blog this week are CVE-2023-34993, CVE-2023-34991, CVE-2023-42783, and CVE-2023-48782.
According to Horizon3.ai, CVE-2023-34993 allows an unauthenticated attacker to execute arbitrary code on affected endpoints using specially crafted requests. CVE-2023-34991 is an unauthenticated SQL injection vulnerability that gives attackers a way to access and abuse a built-in image list function in Fortinet WLM; CVE-2023-48782 is a command injection flaw; and CVE-2023-42783 allows an unauthenticated attacker to arbitrarily read files on affected systems.
Horizon3.ai identified the two vulnerabilities that remain unpatched as of March 13, 2024, as an unauthenticated restricted log file read bug and a static session ID vulnerability.